"""Run a VirusTotal Query on Extracted File Hashes"""
from __future__ import print_function
import os
import sys
import argparse
from pprint import pprint
# Local imports
from zat import bro_log_reader
from zat.utils import vt_query
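def _file_hash(row):
    """Return the sha256 (preferred) or sha1 of a files.log row, or None.

    Zeek writes ``-`` for an empty field, so a literal ``-`` in either
    column is treated as "no hash present".

    Args:
        row: a dict-like row as yielded by ``BroLogReader.readrows()``.

    Returns:
        The hash string, or ``None`` when neither column holds a value.
    """
    file_sha = row.get('sha256', '-')
    if file_sha == '-':
        file_sha = row.get('sha1', '-')
    return None if file_sha == '-' else file_sha


def main():
    """Run a VirusTotal Query on Extracted File Hashes.

    Parses the command line, tails the given Zeek files.log, picks each
    row's sha256 (or sha1) and hands only that hash string to
    ``vt_query.VTQuery.query_file``; results with at least two positives
    are pretty-printed. Exits with status 1 on bad arguments.
    """
    # Collect args from the command line
    parser = argparse.ArgumentParser()
    parser.add_argument('bro_log', type=str, help='Specify a bro log to run BroLogReader test on')
    args, commands = parser.parse_known_args()

    # Check for unknown args
    if commands:
        print('Unrecognized args: %s' % commands)
        sys.exit(1)

    # Sanity check that this is a file log (the check is on the path name only,
    # not on the log's content)
    if 'files' not in args.bro_log:
        print('This example only works with Zeek files.log files..')
        sys.exit(1)

    # File may have a tilde in it; the positional arg is guaranteed non-empty
    # by the check above, so no extra guard is needed
    args.bro_log = os.path.expanduser(args.bro_log)

    # Create a VirusTotal Query Class
    vtq = vt_query.VTQuery()

    # Run the bro reader on a given log file
    reader = bro_log_reader.BroLogReader(args.bro_log, tail=True)
    for row in reader.readrows():
        file_sha = _file_hash(row)
        if file_sha is None:
            print('Could not find a sha256 or a sha1 key! Skipping...')
            continue

        # Make the query with either sha. The helper is handed only the hash
        # string, never file contents; what it transmits is not visible here.
        results = vtq.query_file(file_sha)
        # NOTE(review): assumes query_file returns a dict — TODO confirm; a
        # None/falsy result (e.g. a failed lookup) is skipped instead of
        # raising on .get()
        if results and results.get('positives', 0) > 1:  # At least two hits
            pprint(results)


if __name__ == '__main__':
    main()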